How to capture an FTP session password with tcpdump.

Posted: July 17, 2017. At: 1:02 PM. Post ID: 10942

How to capture packets from a network with tcpdump and get an FTP login password.

I used this tcpdump command line to capture packets traveling over my network; it was intended to capture an FTP login. I am using an anonymous login as an example, but there is still a password involved. This way, I can capture an FTP login easily if I know someone on the network is doing FTP tasks.

localhost /home/jason # tcpdump -A port ftp -i wlp2s0 > dump.out

Now I can get the FTP password from the capture file.

localhost /home/jason # cat dump.out | grep PASS
01:59:57.344755 IP > Flags [P.], seq 17:43, ack 199, win 237, options [nop,nop,TS val 2057831 ecr 1933241270], length 26: FTP: PASS

That is how I managed to capture packets from an FTP session without needing Wireshark installed.
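
A defensive use of the same capture, as an added example that is not part of the original post: the function below reads tcpdump text output and lists each cleartext FTP login by flow and username, with the password redacted, so hosts still using plain FTP can be found and moved to SFTP or FTPS. The function names and the sample lines (documentation addresses, made-up account) are constructed for illustration.

```sh
#!/bin/sh
# Added example: list cleartext FTP logins found in tcpdump text output.
# Passwords are never printed; the goal is to find who still uses plain FTP.

ftp_cleartext_logins() {
    awk '
    # Header lines: TIME IP SRC > DST: Flags [...], length N: FTP: CMD ARG
    ($2 == "IP" || $2 == "IP6") && match($0, /FTP: (USER|PASS)/) {
        flow = $3 " > " $5
        sub(/:$/, "", flow)               # drop the colon after DST
        rest = substr($0, RSTART + 5)     # "USER name" or "PASS secret"
        cmd = substr(rest, 1, 4)
        arg = substr(rest, 6)
        sub(/\r$/, "", arg)
        if (cmd == "USER") { user[flow] = arg; next }
        # PASS seen: report the flow and the user name, not the secret
        u = (flow in user) ? user[flow] : "(unknown)"
        lu = tolower(u)
        kind = (lu == "anonymous" || lu == "ftp") ? "anonymous" : "CREDENTIAL"
        printf "%s %s user=%s password=<redacted> %s\n", $1, flow, u, kind
        delete user[flow]
    }' "$@"
}

# Constructed sample capture (documentation addresses, made-up account).
sample_capture() {
    cat <<'EOF'
01:59:55.101010 IP 192.0.2.10.51514 > 192.0.2.20.21: Flags [P.], seq 1:17, ack 50, win 229, length 16: FTP: USER anonymous
01:59:57.344755 IP 192.0.2.10.51514 > 192.0.2.20.21: Flags [P.], seq 17:43, ack 199, win 237, length 26: FTP: PASS guest@example.invalid
02:03:11.000100 IP 192.0.2.11.40022 > 192.0.2.20.21: Flags [P.], seq 1:13, ack 50, win 229, length 12: FTP: USER alice
02:03:12.000200 IP 192.0.2.20.21 > 192.0.2.11.40022: Flags [P.], seq 50:84, ack 13, win 227, length 34: FTP: 331 Please specify the password.
02:03:12.500300 IP 192.0.2.11.40022 > 192.0.2.20.21: Flags [P.], seq 13:38, ack 84, win 229, length 25: FTP: PASS constructed-secret
EOF
}

sample_capture | ftp_cleartext_logins
```

To audit a real capture, pass the file name instead of the sample: `ftp_cleartext_logins dump.out`. Lines marked CREDENTIAL are logins where a real account password crossed the network unencrypted.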

To get information about hosts on a network, use the netdiscover command as root.

└──╼ # netdiscover -r

This is the output that you should get; it shows the IP and MAC addresses of all network nodes.

 Currently scanning: Finished!   |   Screen View: Unique Hosts
 9 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 540
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
                 e0:b9:e5:b8:31:ba      7     420  Technicolor
                 00:13:46:3a:02:83      1      60  D-Link Corporation
                 f0:25:b7:fa:01:4a      1      60  Unknown vendor

Another way to scan for live hosts on a LAN is with Nmap. This example will return only live hosts on the network.

└──╼ # nmap -sP -PA21,22,25,3389 #21 is used by ftp
Starting Nmap 7.50 ( ) at 2017-07-17 12:57 UTC
Nmap scan report for dsldevice.lan (
Host is up (0.00054s latency).
MAC Address: E0:B9:E5:B8:31:BA (Technicolor)
Nmap scan report for BLUFOR.lan (
Host is up (-0.088s latency).
MAC Address: 00:13:46:3A:02:83 (D-Link)
Nmap scan report for
Host is up (-0.091s latency).
MAC Address: F0:25:B7:FA:01:4A (Samsung Electro-mechanics(thailand))
Nmap scan report for parrot.lan (
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 19.41 seconds
